Summary

What is ransomware?

Ransomware is a type of malware that aims to extort money from companies by disrupting their activities. The most widespread type of ransomware targets data and renders information or computer systems unusable until a ransom is paid. When business-critical information gets locked up, most businesses seriously consider paying ransoms to recover it. In many cases, however, paying a ransom does not guarantee that the files will be recovered. Cyber attackers take advantage of the availability of anonymous cyber currencies, like Bitcoin, to monetize ransomware attacks. Read more about how ransomware developed over time.

How is ransomware different from common malware?

The first thing that differentiates ransomware from generic malware is that it is tough to detect. Why? The answer is simple. It does not behave like malware, although its payloads cause a lot of damage. When accessing files, ransomware mimics user behavior very well. It does not usually attempt to replicate to other machines. Instead, it tries to destroy available network files. It grows smarter by developing ways to hide and eluding common detection techniques. It does not perform suspicious memory operations, and it can run on a machine for hours before it is detected as someone tries to access compromised files. Second, ransomware attacks are easier to carry out because of online ransomware platforms available in the TOR anonymity network (read more here). Virtually anybody can launch a ransomware attack without knowing much about coding, and they can monetize this activity using untraceable virtual currencies, such as Bitcoin.

These differences lead to significantly higher numbers of successful infections and far more new variants compared to other malware.

“There were between 2M and 3M successful #ransomware attacks in 2016, and the frequency will double year over year through 2019.”

(Source: Gartner: Predicts 2017: Business Continuity Management and IT Service Continuity Management)

What’s the cost of ransomware incidents?

Well, it can be hundreds to thousands of dollars, depending on the victim’s location and company profile. According to a study by IBM, 70% of all businesses attacked by ransomware paid to recover their files. Half paid over $10,000, while 20% paid over $40,000. In addition to this money, each incident came with several days of downtime, which comes with its own separate costs.

The easiest way to understand the damage ransomware can do is to think about downtime. When it comes down to it, holding data or systems hostage leads to downtime and an inability to perform business activities. How much time can you afford to be unable to do your stuff? Add to that the effort it takes to recover the latest version of your lost files, assess your up-to-date status, and re-do all the work that’s missing. Then consider the cost of data exfiltration, which may happen during a ransomware attack. Evaluating this aspect may involve investigation activities that take up time and money. In addition, such incidents affect your brand, your company image, and your customers’ and partners’ confidence, costs that are difficult to estimate in the long run.

Notable examples:

CryptoWall was the first ransomware to include advanced obfuscation techniques designed to render the malicious payload undetectable by security software. It made over $100M in ransom.

Locky was one of the most prolific ransomware. It made over $200M in ransom over a relatively short period.

What about ransomware protection?

Ransomware is the most critical cybersecurity threat today, and it deserves all the attention it can get. The cost of preventing a ransomware attack significantly exceeds the cost of recovering from one, while the already-high risk of ransomware infection keeps growing. Ransomware protection involves combining employee awareness training with a multilayered approach to security consisting of security solutions specifically designed to protect your files from ransomware.

What is ransomware-as-a-service?

Until recently, ransomware attacks used to be carried out by highly skilled, well-motivated professional cyber attackers. The primary purpose was to obtain money in the form of ransom paid in bitcoins in untraceable transactions. But not anymore. Ransomware attacks became available to unskilled, malicious persons as well under the form of ransomware-as-a-service. Let’s have a look at how it happened, and what are the implications.

To carry out a ransomware attack, a cyber-criminal develops an entire infrastructure:

Engines to send SPAM and phishing emails, the main propagation vector for ransomware;

Botnets that would send the SPAM and phishing emails, built over time using other types of malware;

Anonymous servers to store ransomware packages – where the Phishing and SPAM emails point to;

Technology to package the ransomware payloads in ways that make them difficult to detect;

Various ransomware payloads configured to deliver a customized ransom notes.

With the infrastructure ready the attacker can launch attacks on various targets and wait to collect the ransom. As soon as the infrastructure is available, most of the high-profile technical work is done, and usage of the infrastructure does not require a lot of technical expertise. Hence, the attackers have the opportunity to create another effective revenue source, by renting their ransomware attack infrastructure to anyone who wants to carry out such an attack. Thus, they have a reliable and efficient source of income by getting a margin on the profits of the ransomware operators. Like that, anyone can be a ransomware operator, even without technical knowledge and without a significant initial investment.

Ransomware-as-a-service

The model is similar to the software distribution model where the vendors are replaced by the attackers, and the distribution channel is replaced by the ransomware service operators.

By significantly reducing the level of technical knowledge required to carry out an attack, this cybercrime model greatly increases the number of potential attackers. Consequently, with more actors, the number of attacks will increase significantly.

Examples of existing ransomware-as-a-service

Shark (Cost: 20% of the revenue)

This ransomware has been around for a while, but as of recently, in August 2016, its developers decided to make it available for anyone and built tools that allow creating and configuring Shark ransomware payloads. Any ransomware operator would pay 20% of the revenue made from ransomware attacks using these tools.

Alpha locker (Cost: 65$)

For 65$ you get a ransomware kit that consists of unique ransomware code, a master decryptor program, and an administration panel.

Janus (Cost: variable, depending on the amount of ransom)

This online platform allows the creation of custom variants of Petya and Micha (a couple of the most devastating) and enables the distribution process. The costs depend on the amount of ransom received and vary from 25% to 50% of the revenue made by ransomware operators.

Conclusion

The development of ransomware, the rather exclusive revenue generator into a fully-fledged software distribution model usable by anyone has significant implications. We are likely to see an increasing number of attacks and a broadening of the scope regarding victims. While before money making was the primary driver for running ransomware attacks, and the targets were usually high profile companies able to pay significant amounts in ransom (i.e. healthcare institutions), in the future attacks will occur for any reason and more and more individuals and businesses will fall as victims.

Targeted ransomware attacks

When it comes to ransomware protection, targeted ransomware attacks are very difficult to identify through classic anti-virus technology. Although such attacks are less frequent than their random, mass, counterparts, they are far more devastating and expensive mainly because they have a higher chance of succeeding in encrypting the files. Let’s look at some important differences between targeted and random attacks.

Targeted ransomware attacks scope

Targeted attacks are carried out against a single, particular company or institution. Usually, the victim is a corporation relying heavily on IT and using files as part of their internal processes. Such companies are more likely to need access to files as soon as possible and thus, more likely to pay a ransom.
Random attacks are fired across the internet without specific targets, in an attempt to infect as many machines as possible.

Targeted ransomware attacks technology

Perhaps the most significant difference between regular, mass ransomware attacks and the targeted ones lies in the technology being used, and this also influences the ransomware protection and ransomware prevention methods to consider. While both have the technology to elude standard antivirus engines, targeted attacks also use customized ransomware variants never used before, for which there are no signatures recorded and which are impossible to detect via traditional security solutions. The rule of thumb that guarantees a high rate of success is one variant per valuable target.
On the other hand, the mass ransomware attacks generally use known ransomware variants or samples used in other attacks as well. Classic signature-based solutions are more likely to detect such attacks because the payloads are known.

Targeted ransomware attacks distribution

Targeted attacks use advanced social engineering techniques to deliver the malicious payloads into the network of particular victims. Usually, they spread via email, but the campaigns are targeted, more complex and carried out manually.
Mass ransomware attacks use email campaigns, malicious websites or software exploits to proliferate and are usually performed automatically via SPAM campaigns or via ransomware-as-a-service platforms running in the TOR anonymity network. In general, they are carried out unattended.

Targeted ransomware attacks monetization

Targeted ransomware attacks demand far higher ransom. Most ask for thousands of dollars for a single computer, and the price goes up to hundreds of thousands or even millions, for more machines. Usually, the ransom is hard-coded in the ransomware itself and does not change. The high ransom demand is based on the fact that such companies are in urgent need of files and can also afford the price.
Mass attacks require far less ransom – a few hundred dollars to begin with, based on the fact that the victims are mostly small companies and consumers who do not afford more and because of a lower reliance on IT, they may be willing to lose the files and not pay the ransom.

Ransomware protection and detection

Mass ransomware attacks may be detected by classic, signature-based techniques, provided that the anti-virus is up to date and the vendor is aware of the ransomware variant. However, we must not forget that in many cases, mass ransomware attacks may use zero-day ransomware variants which elude detection. Targeted ransomware attacks are very likely to evade detection of most traditional security tools. To accurately detect targeted attacks using custom, never-seen-before variants, companies need specialized anti-ransomware solutions that are able to detect ransomware based on advanced file-access patterns. Such detection technology delivers the best ransomware detection and outperforms signature-based solutions. Find out why specialized anti-ransomware does way better than anti-virus technology here.

Conclusion

Ransomware attacks support an extended and elaborate cybercrime system that generates massive profits at the expense of legitimate companies and institutions. Clearly bypassing traditional malware in the effectiveness of monetization and with far easier exploitation than other cybercriminal activities like data exfiltration, ransomware is likely to remain the number one threat for the next years. Targeted ransomware attacks finance and support the development of criminal organizations in need of specialized attackers, with their own employment and training system to support more complex, effective and devastating attacks. The Register writes about targeted attacks and how they support cybercriminal organizations here.

Ransomware prevention

There are many tips for ransomware prevention online and about ransomware protection, in general. Most include various commercial solutions that are, indeed, critical to providing adequate protection. We would like, however, to provide some tips on how to stay safe from ransomware infections, without relying on any software solution. It does not mean you should not implement adequate security solutions. You should ultimately combine these tips with the rest of the software-based recommendations, as when used alone, they only reduce the chances of ransomware infections but do not eliminate the risk fully.

1. Do not use privileged user accounts for everyday activity

Most people use computers at home without caring or knowing about the privileges assigned to their user account. The same happens in small and medium companies where IT departments, if present, usually have to deal with tasks that are more important. The result is people are browsing the internet, reading emails, exchanging chat messages, etc., using user accounts with far more privileges than required, usually administrative. Hence, they expose themselves to various types of malware and cyber-attacks, including ransomware.

Fact: out of the many ransomware strains, only a fraction can leverage vulnerabilities to gain privileged rights to execute malicious payloads that encrypt files and attack other computers. In addition, many ransomware variants do not function properly if not executed in a privileged security context. Hence, for ransomware prevention, proper use of privileges is very important.

Risk: running ransomware payload in the context of a regular user account may still compromise the files belonging to that user, but it is unlikely to compromise the files owned by other users or attack other computers on the network.

2. For ransomware prevention, exhibit caution when using email

Email is the most important ransomware infection vector. The vast majority of ransomware attacks have the following entry point: somebody clicking a link in an email or opening an email attachment. So, for ransomware prevention, the obvious advice is not to click on such links or open such attachments. The issue is: “How do I identify such emails?”.

Here are some pointers that may help you out:

Unsolicited email (and email sent by new senders) is the first candidate for the “deleted items” folder. It is rarely valid messages you should consider; Express caution and go through the email message before taking further actions such as clicking on links and opening attachments;

Note the email address listed under email sender. If it looks like automatically generated, or containing characters that make little sense, then that is another red flag. Usually, the email address is different than the sender name listed by your email client;

Express caution when receiving an email from well-known corporations or brands. Especially those messages promising something for nothing, or looking too good to be true. Many ransomware email campaigns rely on messages disguised as valuable product offers or notices from shops or service providers. Like this phishing campaign based on Netflix.

Irrespective of the sender, carefully assess this fact: Should you, or should you not receive an email from this sender?

If you should not (Email appearing to be from Netflix with important information about your account, but you do not have a Netflix account), then it is most probably something else than it appears to be.

If you should, or are not sure, carefully read the contents and verify the address as per the other tips This point also applies to social media; sometimes ransomware may spread like this too. So express caution when receiving messages from unknown persons, especially the ones that have a call to action, and insist on it.

3. For ransomware avoidance, surf the internet responsibly

Similarly to email, for ransomware prevention, try to avoid those websites that are dubious:

Have many adverts on the page;

Open many pop-out windows;

Have some questionable images or videos with high visual impact;

Provide essential advice on something using huge letters;

Give you free something;

Ask you to do something like clicking on links, etc., in exchange for something else, usually too good to be true.

Promise to offer copyrighted content for free;

If you come across such a website, there are big chances that the site passes on ransomware or other malware that in turn downloads ransomware.

Disable macros
The macro functions in the modern text editors are rarely used. However, they are enabled most of the times. Many ransomware families are using macro functionality to execute malware that, in turn, sets the stage for a ransomware infection. It is a good idea to disable macros, and only enable them whenever needed, and only if the source of the document that requires macro functionality is trustworthy.

Ransomware is an important phenomenon nowadays and dealing with it is a top concern of IT admins. This type of malware is capable of incurring enormous costs on businesses that rely on IT to carry out everyday activities so enterprise ransomware protection became a hot topic in IT communities. From our experience, simple measures and the right technology, all packed in a multi-layered security strategy, are enough to protect against ransomware without investing big budgets. Here is our advice:

Ransomware protection layers

1. Train employees to identify suspicious emails and websites

Most ransomware arrives via email SPAM campaigns or malicious websites, so employee awareness in this respect helps a lot preventing ransomware infections. Users should learn how to detect suspicious emails, although attackers put a lot of effort into making them appealing. SPAM campaigns claiming to offer something for nothing and document attachments labeled as very important but sent by suspicious email addresses are easy to spot with the right training, and simple tests carried out from time to time.

2. Use anti-ransomware technology for best ransomware protection

Specialized anti-ransomware technology covers the gap left open by antivirus software unable to deal with zero-day and custom ransomware variants that have not been researched. Ransomware mimics user behavior very well and “benefits” from the latest obfuscation technology built to elude antivirus detection. It is environmentally aware, avoids sandboxes and virtual environments and can even detect antivirus engines. Specialized anti-ransomware does not rely on updates or common antivirus technology, but instead detects the ransomware based on the actions it takes on a machine. Such software is highly efficient in detecting and stopping ransomware, as well as protecting the files and allowing data recovery in case of ransomware incidents.

3. Use antivirus technology to improve on ransomware protection

Antivirus technology protects against common malware and reduces the chance of ransomware infections by stopping known variants before they run on your systems. Such technology should be used in conjunction with anti-ransomware technology for best protection.

4. Use backup to ensure business continuity

Any company should have a disaster recovery plan in place, and backup software is a critical part of it. When it comes to ransomware protection, in lack of appropriate solutions, you always lose the files between the last backup and the unfortunate incident. Since backup in real time is a problem for IT, many companies settle for daily backups of critical data. This may or may not be enough. Ideally, backup for disaster recovery should be combined with anti-ransomware technology to ensure that:
– You do not lose any files – as anti-ransomware technology restores the latest modified files, adding to whatever is being recovered from daily backups;
– You do not backup encrypted files – Yes, this is a major issue as the backup software does not have enough awareness to identify such files. The last thing you want is to have backups of encrypted data which cannot be restored and no clue about it.

5. Keep your systems up to date

Although the majority of ransomware does not have worm-like capabilities, WannaCry demonstrated once again that malware is evolving and included features that enabled it to spread, exploiting system vulnerabilities. Having the systems and applications up to date reduces the risk of such incidents spreading.
Having a multi-layered security approach for ransomware protection is a considerable effort for IT departments. Planning, implementation, testing and validation all take time and involve costs, but think about the cost a single ransomware incident can incur: for how long do you afford to be shut down? How much does it cost to recover from such events (data, reputation, lost deliverables, etc.)? Ransomware cost per incident exceeds the cost of implementing and maintaining a multi-layered security strategy for a medium enterprise.

How we can help

Our dedicated solution TEMASOFT Ranstop is an anti-ransomware software that detects present and future ransomware, based on file access pattern analysis with a high degree of accuracy. At the same time, it protects user files so that they can be restored in case of malware attacks or accidental loss. TEMASOFT Ranstop is at the core of any multi-layered security strategy designed for enterprise ransomware protection.

Ransomware protection – How to protect against ransomware?

We recommend against paying the ransom!

Most industry experts, authorities and security vendors advise against paying the ransom when infected with ransomware, and there are several reasons for doing so. First, paying ransom encourages the ransomware phenomenon, and more and more cyber-criminals will attempt to profit in this way. It verifies the fact that money can be made out of this, easily. Then, money obtained from such activities usually finance far more dangerous underground markets and organizations, linked with drugs and weapons trafficking and terrorism.
The above reasons, however, may be considered weak, for a ransomware victim in acute need to access the lost data. It is a difficult decision to make: get your data back in exchange for payment, or do not get your data back, but align with the ethics. This is why many pay the ransom in spite of the general advice.

However, when ransomware protection fails, there is a better reason not to pay the ransom. Although cyber attackers claim that paying the ransom allows data recovery, it is not always the case. There are many situations when victims have not recovered the data after having paid the ransom demanded by the attackers. We are going to have a look at three such scenarios:

1. Paying the ransom when the infection is caused by a “wiper“

Researchers have found numerous strains of malware that although apparently behave like ransomware, have no technical means to allow victims to recover the data. In this case, the attackers never intended to give you any data back.
It is often difficult to tell the difference between “legitimate” ransomware and such “wipers” because of the actions it takes on the target computer:

It may create files with weird extensions;

It makes original files unavailable, usually by deleting them;

It deploys ransom notes.

When analyzing the behavior in detail, the original files are never actually encrypted. There is no infrastructure and technical implementation in place to allow data recovery. Such malware only wipes out your data. Paying the ransom, in this case, is futile and the files may never be recovered. Such an example was discovered by security researchers at Cisco and the malware ws named Ranscam. It is a typical case of malware that simply destroys files. Similar malware attacks the file allocation table. More details here.
Another recent example is RedBoot. It attacks the master boot record and alters the partitions in a way that makes a recovery impossible, from the technical point of view.

2. Paying the ransom when the infection is caused by incomplete ransomware having “inadvertent” design flaws

Other cases involve well-known ransomware families, that, let’s say, have a “proven” history of recovering the data after the ransom is paid. In such cases, the behavior of the ransomware is very similar to the one of the well-known ransomware family:

Files are encrypted on the hard drive;

The encrypted content gets the same extension as the ransomware family this malware mimics;

Alternately, if the well-known family attacks the boot sector, similar behavior is implemented;

Apparently, there is functionality to allow the entire data recovery process to happen: the victim gets assigned an install id, there are detailed instructions on how to pay the ransom and recover the data, etc

However, there are cases where the researchers have found that the functionality for data recovery implemented by the attackers cannot technically deliver the desired results.
A good example is NotPetya, later called “Shamoon wiper”: it is very similar in behavior with Petya, a ransomware attacking the boot sector. Petya has a “proven” record of successful data recoveries. In fact, researchers first attributed such attacks to a “new variant of Petya.” However, later, the researchers have found that key aspects required for the data recovery process, such as the installation ID of the victim, are populated with random information. This means that the attackers cannot unlock the victims’ data. More information here.

3. Ransomware does have bugs, and no, attackers will not debug nor provide support

There are many cases where a ransomware family, known to allow data recovery after paying the ransom, has technical issues that manifest only under certain, specific circumstances. In such cases, those victims, who have particular environments causing the ransomware to fail in the data recovery process, also lose their files in spite of paying the ransom.
The ransomware developers focus on making the ransomware profitable. This means it has to be stealthy and bypass known security measures in place; it has to have an automated infrastructure to allow mass monetization of the ransom, etc. They do not focus on making sure that the data recovery process works in most cases, if at all.
There are several points where ransomware may fail in the data recovery process:

Inability to gather the necessary data from the victim, to build the essential recovery items;

Failure to communicate over the internet with the command sever – crucial in the data recovery process;

Infrastructure issues that cause the control servers to generate faulty recovery keys that do not work.

Like any other software, there are situations where the technical implementation fails, and this ultimately leads to losing both the data and the ransom money.

Conclusion

To summarize, some attackers never intend to give any data back; others give up at some point and do not properly implement their data recovery functionality and there are some who do not test their ransomware well enough. In either case, if ransomware protection fails, both money and data are lost, and the chances of this happening are not negligible. Enterprise ransomware protection is key to preventing such attacks from happening.

For more information, follow us on social media and subscribe to our newsletter.